HIPAA Security Hounds...

How would you view an AWS deployment that included a set of systems deployed together at AWS (within a single, secured Virtual Private Cloud), using a key to encrypt all storage, and only allowing authenticated users to access anything related to the deployment, and using SSL certificates (or IPsec VPN) to encrypt all traffic to and from the server systems?

If that does comply with the laws regarding data storage and transmission of HIPAA/HITECH, and the organization properly documents and trains its employees, are there still "open doors" from a security standpoint that should be addressed?
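As an added illustration (not code from the question, from AWS, or from anyone in the thread), here is a Python check for two "open doors" such a deployment can still have even with encrypted storage and TLS/IPsec in place: EBS volumes created without encryption, and security-group rules that expose ports to the whole internet beyond the listeners the design intends. It assumes the intended public listeners are TCP 443 (TLS) and UDP 500/4500 (IPsec IKE/NAT-T), consumes data in the shape boto3's `describe_volumes` and `describe_security_groups` return, and the sample responses are constructed.

```python
# Assumed intended public listeners: 443 for TLS, UDP 500/4500 for IPsec.
INTENDED_PUBLIC_PORTS = {("tcp", 443), ("udp", 500), ("udp", 4500)}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

def unencrypted_volumes(describe_volumes_response):
    """Ids of EBS volumes that are not encrypted at rest."""
    return [v["VolumeId"] for v in describe_volumes_response["Volumes"]
            if not v.get("Encrypted", False)]

def world_open_rules(describe_sgs_response):
    """(group_id, protocol, port) triples reachable from any address that
    are not one of the intended public listeners."""
    findings = []
    for sg in describe_sgs_response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if ANY_IPV4 not in ranges and ANY_IPV6 not in ranges:
                continue  # only reachable from specific networks
            proto = perm.get("IpProtocol", "-1")
            if proto == "-1":  # "-1" means every protocol and every port
                findings.append((sg["GroupId"], "all", "all"))
                continue
            for port in range(perm["FromPort"], perm["ToPort"] + 1):
                if (proto, port) not in INTENDED_PUBLIC_PORTS:
                    findings.append((sg["GroupId"], proto, port))
    return findings

# Constructed sample responses in the shape boto3 returns (not real account data).
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0a", "Encrypted": True},
    {"VolumeId": "vol-0b", "Encrypted": False},   # PHI at rest in the clear
]}
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # intended TLS listener
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},  # VPC-internal only
    ]},
]}

if __name__ == "__main__":
    print("unencrypted volumes:", unencrypted_volumes(SAMPLE_VOLUMES))
    print("world-open rules:", world_open_rules(SAMPLE_SGS))
```

Against a live account the same two functions would be fed the output of `boto3.client("ec2").describe_volumes()` and `describe_security_groups()`; a non-empty result from either is a gap the encryption and authentication controls in the question do not close by themselves.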

Thanks AJ. While I agree with Amazon's perspective, they are publishing this as the vendor of the service itself. As a result of their configuration, they do not sign BAs with HIPAA Covered Entities, so gathering opinions (and sharing any facts uncovered on this issue) could save millions of dollars for many companies housing PHI.
– JoeD Jan 17 '13 at 20:39

@JoeD - that's true, but at the same time, if they published a white paper with significant problems in it, it would look very bad for them. IANAL, but claiming to be able to be HIPAA compliant might even have some legal bearing since they are responsible for the physical security side of things for their servers. They do also have several case studies of other companies doing it.
– AJ Henderson Jan 17 '13 at 21:06